Tuesday, April 2, 2013

Vulnerable WordPress plugins

Vulnerabilities in WordPress plugins according to CVE

Malicious WordPress plugins

WordPress is one of the biggest and most popular blogging platforms. It has many advantages: it is free and easy to deploy, the "time to launch" is very short, and creating a blog for the first time usually requires no special skills. A bare-bones WP installation, however, rarely satisfies even an average blog owner. To enrich the user experience and offer extended functionality, owners are offered a constantly growing number of plugins and themes. Even though themes are prone to hacking as well, this post covers plugins only, because according to our statistics vulnerable plugins are the main reason, after outdated WP installations, for the hacking of WordPress based websites. Some malicious WP plugin cases are covered in other posts (e.g. http://quttera.blogspot.co.il/2013/03/Malicious-WordPress-plugin-using-dynamic-fromCharCode-method.html or http://quttera.blogspot.co.il/2013/03/malicious-wordpress-plugin-detection.html).

Either designed to compromise the victim in the first place or containing serious security flaws as a result of poor testing, such plugins are used for spamming, malicious redirections, drive-by download attacks and other malicious activity.

Known vulnerabilities in WordPress plugins

In this post we refer to the known vulnerabilities as submitted to the National Vulnerability Database. A search for "Word Press + plugin" returned 207 matching results, but those are statistics for all time.

Let's do the search for the last three months:

[Screenshot: Search CVE and CCE Vulnerability Database]

The query returned 19 matches:

[Screenshot: Vulnerabilities in WordPress plugins. Search results for the last 3 months.]

The majority of the vulnerabilities allow an attacker to perform cross-site scripting (XSS). Others open "holes" for hackers to obtain configuration information, bypass authentication, obtain access via subsequent requests to various scripts, inject arbitrary web script or HTML, etc.

How to avoid vulnerable or malicious WordPress plugins?

First of all, the WordPress community does its best to validate and check the plugins that are published. Unfortunately, this is a huge effort and it won't completely solve the malware problem.

  • So spend some time reading about the plugin you're interested in, including its user reviews.
  • Go to the plugin home page and see who developed it.
  • Search CVE for this plugin to make sure there are no known or open vulnerabilities. Such awareness will save you the headache of dealing with malware consequences later, and it won't cost you money.
  • Use vulnerability scanners, such as GamaSec, to check your website and receive a report of issues that can be fixed.

Finally, to make sure your blog does not contain malware, just scan it automatically with our free plugin.
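One way to make the CVE check from the list above routine, as an added example that is not part of the original post: a small Python script that reads the version each installed plugin declares in its WordPress header comment and compares it with a list of advisories. The plugin files, plugin names and the advisory list here are constructed, the CVE id is a placeholder, and in practice the advisory list would be filled from NVD search results like the one shown above.

```python
import re
from typing import Dict, List

# Constructed sample: the start of two plugin main files. WordPress reads a plugin's
# metadata from this header comment block (Plugin Name:, Version:, ...), whatever comment style is used.
SAMPLE_PLUGINS = {
    "example-gallery/example-gallery.php": """<?php
/*
Plugin Name: Example Gallery
Version: 1.2.0
*/""",
    "example-forms/example-forms.php": """<?php
/**
 * Plugin Name: Example Forms
 * Version: 3.1
 */""",
}

# Constructed advisory list (hypothetical entry, placeholder id): plugin directory slug -> first fixed version.
ADVISORIES = {
    "example-gallery": {"id": "CVE-XXXX-XXXXX (placeholder)", "fixed_in": "1.2.1"},
}

def parse_header(source: str) -> Dict[str, str]:
    """Read 'Plugin Name' and 'Version', skipping the leading comment characters WordPress ignores."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        match = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", source, re.M | re.I)
        if match:
            fields[key] = match.group(1).strip()
    return fields

def version_tuple(version: str) -> tuple:
    """Turn '1.2' into (1, 2, 0, 0) so that '3.1' and '3.1.0' compare equal."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0] * 4)[:4])

def find_vulnerable(plugins: Dict[str, str], advisories: Dict[str, dict]) -> List[dict]:
    """Report every installed plugin whose declared version predates the advisory's fix."""
    findings = []
    for path, source in plugins.items():
        slug = path.split("/")[0]  # the wp-content/plugins/<slug>/ directory name
        header, advisory = parse_header(source), advisories.get(slug)
        if advisory and "Version" in header and \
                version_tuple(header["Version"]) < version_tuple(advisory["fixed_in"]):
            findings.append({"slug": slug, "installed": header["Version"],
                             "fixed_in": advisory["fixed_in"], "advisory": advisory["id"]})
    return findings
```

Calling `find_vulnerable(SAMPLE_PLUGINS, ADVISORIES)` reports only Example Gallery 1.2.0, which predates the 1.2.1 fix, while Example Forms has no advisory and is skipped.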